Archives
Archives
| From: | Grant <emailgrant@×××××.com> | ||
|---|---|---|---|
| To: | Gentoo mailing list <gentoo-user@l.g.o> | ||
| Subject: | Re: [gentoo-user] {OT} RAM & apache MaxClients (rock & a hard place) | ||
| Date: | Mon, 11 Mar 2013 04:40:30 | ||
| Message-Id: | CAN0CFw1h0s12i3OROMCVkaAU9_GqpbtjFsPjWjCxZPGha3Y9yQ@mail.gmail.com | ||
| In Reply to: | Re: [gentoo-user] {OT} RAM & apache MaxClients (rock & a hard place) by Nilesh Govindrajan |
||
| 1 | >> You guys were so right. What an excellent http server/proxy. I used |
| 2 | >> this very simple howto: |
| 3 | >> |
| 4 | >> http://kbeezie.com/apache-with-nginx/ |
| 5 | >> |
| 6 | >> I can probably dump a lot of apache config. I still need SSL on both |
| 7 | >> servers even though only nginx faces the user? |
| 8 | >> |
| 9 | >> For imap proxy, nginx requires an HTTP auth server and I can't figure |
| 10 | >> out what that refers to. I can stick with imapproxy there. |
| 11 | > |
| 12 | > You don't need SSL at both. Only nginx is enough. |
| 13 | > But to ensure nginx performs well at SSL, follow this - http://matt.io/entry/ur |
| 14 | |
| 15 | Check out this post: |
| 16 | |
| 17 | http://www.hybridforge.com/blog/nginx-ssl-ciphers-and-pci-compliance |
| 18 | |
| 19 | They show you how to disable the slow DHE ciphers and also how to make |
| 20 | nginx immune to the BEAST SSL vulnerability: |
| 21 | |
| 22 | ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH; |
| 23 | ssl_prefer_server_ciphers on; |
| 24 | |
| 25 | They also mention this for PCI compliance (which disables SSLv2): |
| 26 | |
| 27 | ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
| 28 | |
| 29 | but that seems to be the current default in nginx: |
| 30 | |
| 31 | http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols |
| 32 | |
| 33 | - Grant |